JP2006178521A - Digital forensic method and forensic it security system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide digital forensics capable of efficiently executing identification of an illicit actor in a method capable of verifying evidential property with the reliability of identification being hardly influenced by human elements. <P>SOLUTION: Continuous monitoring 1 is performed in the stage of network forensics 12, and filtered 2 in a predetermined condition to detect abnormality. In the event of abnormality 4, log analysis 5 is performed to the abnormality to narrow down the outline of the abnormality and an object terminal. An examination object terminal 6 that is the narrowing down result by the network forensics 12 is obtained, and the process is transferred to the stage of computer forensics 13, in which perpetuation of evidence 7 of the narrowed down terminal is performed, and analysis 8 is executed to data for the perpetuation of evidence. In the analysis 8, examination priority order is determined in reference to a log analysis result 5 to efficiently progress the examination. An evidence report 9 for the fact obtained by the analysis 8 is finally created. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

The present invention relates to a security system that prevents unauthorized use of data such as information leakage in an organization such as a company or a public office, and enables early appropriate responses in the event of an accident, particularly in cooperation with IT technology and forensic technology. The provision of a forensic IT security system.

[Current status of digital crime]
It is no exaggeration to say that digital devices are involved in all forms of crime in the advanced information society. For this reason, law enforcement agencies such as the police, prosecutors, and courts position digital devices such as personal computers as important evidence that should be preferentially acquired like fingerprints. Crimes involving digital devices now spread not only by hackers, but also by people who do not have much IT knowledge. Under such circumstances, digital forensics, which is a means to solve the legal problems by acquiring and analyzing high-tech equipment data while maintaining the evidence using advanced technology, has become a spotlight in the information security world. Have been bathed.

In the following, we will first explain how important the digital forensic technology and the forensic tools developed by that technology are in solving legal problems in the information society. In addition, the use of digital forensics in the prevention of information leaking crimes by insiders and the identification of suspects, which has been a problem in recent years, and the situation in the United States where it has been developed are described together with the forensic IT of the present invention. The digital forensic technology will be described as the background technology of the security system.

[Frequent internal crimes and conventional IT security problems]
The advent of the personal computer age due to the development of the information society has brought about a situation in which all crimes involve digital devices in some form. For this reason, law enforcement agencies such as the police, prosecutors, and courts have come to recognize personal computers as digital fingerprints and, like fingerprints, as important evidence that should be preferentially acquired.

Recently, corporate information leak cases are often reported. Most of these incidents are not due to intrusions from the outside, but are examples of work from the inside, and we finally feel that we must take full-fledged measures against internal crimes. Compared with criminals entering from outside, insiders can easily take out important confidential information such as customer data, technical information, financial information, product cost information, etc., so the amount of damage caused by internal crimes from outside It is much larger than that caused by intruders. Moreover, internal crime is not only a problem of the amount of damage, but also a characteristic that it develops into a serious problem that requires the trust of the company itself.

Current mainstream information security focuses on defense, such as intrusion prevention, intrusion detection, leak prevention, and leak detection. Such a technique for protecting a computer system against external threats is disclosed in, for example, Patent Document 1 entitled “Network Intrusion Detection System and Method”. On the other hand, as a technology that can contribute to the suppression of internal crime, a technology for automatically acquiring and storing logs has been developed. A log is defined as a record of the usage status or data communication of a terminal (such as a PC) and the record thereof. The log records the operation of the terminal, the date / time when the data was transmitted / received from the terminal, the contents of the transmitted / received data, and the like. Therefore, since it is possible to easily investigate which terminal has invaded the server and how by the log, it is possible to easily investigate the intruding terminal. Nonetheless, threats such as information leaks due to internal crimes will not disappear, and there will be no tendency to decrease. This means that the conventional method is inadequate in crime deterrence because it is insufficient in the ability to connect the terminal and the criminal and identify the criminal.

[Appearance of digital forensics]
Digital forensics is a technique that makes it possible to identify who used a terminal device. The word forensics is not very familiar and often talks about the meaning of the word. In Japan, however, the terms forensic science, criminal science, and forensic science, which are almost synonymous with forensics, have been used for a long time.

In the US law enforcement, positioning the ability to investigate digital devices as the most important issue, and a high-tech crime investigation team has been established since the late 1990s. The established method has a great influence on the current digital forensics. Digital forensic technology must have the conditions of evidence in court, and mere technical digital data survey methods (such as data salvage) are not sufficient. Data obtained with digital forensics must retain legal evidence capacity, which must be proven in court. Indeed, forensics needs the elements of words translated as forensic science.

[Digital Forensic Technology]
<< Speciality of digital data >>
There are various barriers to investigating and documenting digital data. In order to investigate, it is necessary to access a digital device in which data is stored, but if it is accessed easily, there is a high possibility of losing much evidence. A feature of digital data is that it is highly volatile and can be easily tampered with.

For example, if a PC (personal computer) where evidence data is stored is inadvertently operated, a trap (罠) may be set by the criminal's intention to delete the evidence data. . Windows (registered trademark) also has a function to change the time stamp with just a normal operation such as turning on the PC. Easy access to data, whether intentional or not, loses evidence. With danger. In addition to the loss of evidence data, changes in the time stamp after the start of the investigation are considered to be some sort of information manipulation by the investigator, losing the legal evidence capability, so digital forensics is a very delicate task. Necessary. Easily accessing data is considered equivalent to an investigator touching an object with a suspect's fingerprint. FIG. 7 is a diagram showing the time stamp update status before and after activation.

Similarly, various barriers exist at the stage of data analysis. For example, when actually analyzing HDD (Hard Disk Drive) data, the enormous amount of data stands out as a barrier. If 15GB of data is printed on paper, the amount can be stacked to the same height as the Empire State Building. Considering the number of files, the number is from tens of thousands to hundreds of thousands of files. Not only that, there are also barriers when the evidence data has been erased, or the file being investigated is password protected. If such a large amount of difficult-to-access data cannot be efficiently investigated in a short time, evidence for solving a legal problem cannot be obtained.

And the results of overcoming various barriers, obtaining evidence, and analyzing must finally be approved by the court. It is also important to have a judge, a partner attorney, and in the future, a judge judge the validity of the evidence. It can be said to be a big difference from the work such as data salvage that is usually done in the IT world for the purpose of solving legal problems of forensics.

《Digital Forensic Process》
Digital forensics is divided into three processes: evidence preservation, analysis and reporting (forensic presentation).

《Evidence preservation》
Digital data is very volatile and tends to be more likely to be lost or altered over time. Similarly, easy access to evidence data will be tampered and lost. Therefore, it is necessary to secure evidence data in a short time. Evidence preservation is the work of securing evidence data while maintaining legal conformity. Specifically, the evidence HDD (Evidence) is prepared separately from the data stored in the HDD (Target Drive: TD) of the PC to be maintained.
Drive: Hereinafter referred to as ED. ). Ensuring the identity of TD data and ED data and enabling proof of identity are two important considerations in the reproduction.

Securing data while a general-purpose OS such as Windows is running has the risk of changing the time stamp or activating a fraudster trap. Therefore, in order to ensure the identity, it is necessary to perform replication without starting the general-purpose OS. Windows already installed on the PC
As a specific example of replication without starting up a general-purpose OS, etc., replication is performed by removing the HDD on the PC from the PC, or by starting up the PC using a special OS dedicated to digital forensics, and performing replication in that state (In this case, the TD is not tampered even when connected in the PC.) FIG. 8 is a diagram showing a method of copying directly from the HDD, and FIG. 9 is a diagram showing a method of starting a special OS and copying data on the HDD from the PC via USB / FireWire.

On the surface, there is a possibility that the suspect intentionally hides the data in an area where no data is stored, or there is erased data or the like in the area. That is, there is a high possibility that important data as evidence is hidden in an area where data is not stored on the surface. Therefore, physical copy (physical copy) is always required for evidence preservation. The physical duplication is not a duplication of only a portion where data is stored, but a duplication performed for each sector over the entire area of the HDD. FIG. 10 is a diagram for explaining the importance of physical copying.

In the process of preservation of evidence, first, the residual data of the HDD (ED) that is the copy destination is completely erased. As an erasing method, DoD
A US Department of Defense compliant method called Wipe is usually adopted. By erasing the remaining data on the HDD (ED) using the DoD Wipe method and making a physical copy on the deleted HDD, a 100% identical copy (ED) can be created. In this duplication (ED), contamination of the duplicated data by residual data can be prevented. Direct access to the ED must be avoided for analysis. Access for analysis, etc. is performed on the HDD that further duplicates the ED. FIG. 11 is a diagram for explaining an evidence preservation process. The procedure for preservation of evidence is shown below.

Evidence preservation work requires a forensic tool that provides a particularly high conservation environment. Forensic tools can be either software-based or hardware-based. Software-based forensic tools require new equipment such as PCs, cables, and write protection devices to drive the software during work. In addition, there are applications other than forensics in the prepared PC, and the possibility of data contamination cannot be denied. In contrast, hardware-based forensic tools can provide evidence preservation with only that tool, and therefore can provide a very high conservation environment. In addition, the transfer speed during duplication is much faster than the software-based forensic tool, and the hardware-based forensic tool is overwhelmingly fast and very effective at the maintenance site where work must be completed in a short time. It is. Therefore, a hardware-based forensic tool is regarded as a standard for the evidence maintenance work tool (Non-Patent Document 1).

"analysis"
If the ED obtained through evidence preservation is directly analyzed, the ED data may be accidentally destroyed during the analysis process. Therefore, the ED is further copied to the analysis HDD, and the analysis is performed on the analysis HDD.

In the analysis, first, the data acquired by evidence preservation and recorded in the analysis HDD is converted into analysis data by the analysis conversion software. The analysis data is data in the analysis file format obtained by converting the file format from the data file recorded in the analysis HDD. The analysis is performed by processing the analysis data with analysis software. By analyzing the data for analysis, it is possible to perform operations that are normally restricted on Windows, such as when the partition is cut, erased data, or access to the registry protection area. FIG. 12 is a diagram for explaining the investigation of the registry protection area.

Analysis by the analysis software includes password analysis. In the password analysis, a word or phrase that the suspect may use is determined in advance, and a dictionary search or brute force analysis is performed by searching for the word or phrase. However, in the analysis by brute force attack, if the password is random and the number of digits is large, the analysis of the password is physically impossible. On the other hand, since random passwords with a large number of digits cannot be stored by humans, there are many cases where a memo is left somewhere, so it can be said that it is more effective to search for the memo. Therefore, the priority of brute force analysis by analysis software is low in forensic work. FIG. 13 is a diagram illustrating an example of screen display in the forensic tool for password analysis.

Since it is necessary to perform analysis for a large amount of data in a short time, various ingenuity has been made for the search method. FIG. 14 is a conceptual diagram showing an example of analysis software of the database reconstruction method.

《Proof of evidence preservation》
What should always be noted in all processes of digital forensics is proof of data identity and continuity of storage. Prove the identity by showing a hash value using a hash function at the time of every work and copy, log all work, and who, when, what data, how and what at the time of forensic work Keep a record of what was happening. Also, a write protection device is required to prevent each data contamination.

《Forensic Presentation》
Because forensics is a means of solving legal problems, it does not make sense if the material obtained through complete evidence preservation and analysis is not accepted as evidence in court. Some court officials are not familiar with IT, so they must explain each process of evidence preservation and analysis so that they can be satisfied with the integrity of evidence preservation and analysis. Therefore, presentation technology that anyone can understand is necessary. What is necessary for the content of the presentation is to reproduce the situation up to the acquisition of evidence data and prove that the data is evidence to support the suspicion. Specific examples of presentation techniques include using video or reproducing data recovery on the fly using forensic tools.

[Forensic Tool]
《Capabilities required of forensic tools》
The use of forensic tools is indispensable in order to carry out the work for solving legal problems in a fast and reliable manner considering the characteristics of digital data. The two most important performance requirements for forensic tools are:
A. The obtained data retains legal evidence ability.
B. The content and evidence of the survey results are less dependent on the factors of the people involved in the survey.

Furthermore, in order for the forensic tool to satisfy the above performance, the following conditions must be satisfied in the forensic execution process.
a. Not affected by external factors.
b. Do not pollute the data.
c. Mirror image with 100% duplication (physical duplication).
d. Continuity of storage

《Importance of commercial forensic tools》
Forensic tools include commercial tools and free tools. In Japan, free tools are often introduced as forensic tools, and since there are no conferences that show commercial forensic tools like Europe and America, free tools are relatively well known. Therefore, here we will explain the importance of commercial tools from the perspective of solving legal problems.

The results obtained using forensic tools should be similar to any investigator doing. If the result is different, it means that there is a difference in whether or not the investigator can identify the fraudster, which means a defect in evidence. In addition, in order to solve legal problems, it is necessary to prove the legality of the forensic work that has been done so far in the courtroom, and it may be difficult for the investigator alone to deal with it.

In order to reduce the dependency of the survey results on the survey operator, the following points should be noted regarding forensic tools.
(1) Technical backup of results obtained from tools (2) Management of versions, etc. (3) Management of necessary tools and options, etc. (4) Maintenance of usage, manuals, version management

Commercial tools have these conditions and guarantee technical performance, so they can be said to be suitable as tools for solving legal problems. Those who specialize in forensic work, called forensic experts in the United States, use not only commercial tools, but also free tools, and cannot tell whether commercial tools or free tools are better. However, as digital devices become so widespread and the number of litigation issues related to digital data increases, more investigators who can perform forensics are also required. However, it is also true that commercial tools need to be supported so that everyone can achieve the same results as forensic experts.

[Utilization of forensics considered from the Western situation]
<Utilization of digital forensics>
The development of IT technology has made digital devices popular, and even in conventional crimes that are not high-tech crimes, digital devices such as PCs were the subject of investigation. In addition, the rapid increase in the need for internal crime deterrence and initial response after fraud in companies has made it virtually impossible to rely on law enforcement for all events. In particular, there is no choice but to conduct investigations in the absence of incidents and internal audits for deterrence other than by organizations such as companies and government agencies themselves. As a result, there has been a growing demand for the introduction of security systems using digital forensics by organizations (hereinafter referred to as forensic security systems).

With the introduction of the forensic security system, it is possible to investigate inside the organization whether or not it should be prosecuted, and report the result to the police. In the United States, the government is instructing companies to conduct forensics themselves. Forensic investigation (referred to as auditing or monitoring) regarding terminals that are regularly used by persons who have authority to access important data, department transfer / transfer / retired persons, or those who have some concern in the organization Is sometimes effective for preventing incidents. In addition, the accumulation of data through regular periodic surveys before the incident occurs facilitates early resolution of the incident after the incident. Early provision of information and resolution of incidents after the incident is discovered is extremely beneficial in avoiding the risk of losing corporate credibility.

In addition, forensics is not only an incident response in the sense of a reactive response, but also prepared not only for a quick response by a prior audit, but also for a normal audit itself. Acts as a deterrent. The following shows the role of forensics in time series. In the stage before the incident, the forensics are performed as a regular audit, in which all three forensic processes of evidence preservation, analysis, and reporting are performed.

After an incident occurs, evidence preservation and system recovery called incident response are first performed as forensics immediately after the incident. Subsequent forensics includes analysis of incidents using preserved evidence, reporting the results of the analysis, and forensic presentations as necessary. Such forensics solves the legal problem related to the incident (Non-patent Document 2). As seen in the forensic process described above, it can be seen that forensic should be routinely performed in IT security. FIG. 15 is a diagram illustrating a time-series process in digital forensics.

《Lack of forensic specialists》
Currently, both companies and public offices are making IT into all systems. It is no exaggeration to say that there is no digital data involved in all legal problem-solving work between companies. Therefore, in order to solve these problems, the US recommends that legal experts and corporate defense teams have experts called forensic experts. However, even in the United States, which is a developed country of digital forensics, the number and qualities of its experts are not always satisfactory, and it is important to secure, evaluate and employ experts. (Non-patent Document 3). Considering the degree of IT penetration, there is no doubt that our country is in exactly the same situation, and measures to make up for the shortage of forensic specialists are an issue.

《Forensic Lab》
In forensic activities, the work that can be done in the field is limited, so most of the work is actually done in a forensic facility called a forensic lab. The Forensic Lab is a central facility where various activities such as research and experiments are conducted in addition to supporting high-tech crime investigation activities. It requires a completely exclusive environment that can maintain the evidence of the data obtained through forensic activities.

The forensic lab consists of the evidence preservation room, analysis room, audio analysis room, presentation creation support room, host computer room, evidence HDD and forensic report DVD storage room. The entire forensic lab is not connected to any external network, and information leakage due to electromagnetic leakage is prevented. In addition to isolation from the outside, it has been devised so that evidence data handled in the lab is not cross-contaminated.

<Handling of digital data that requires international standardization>
With the spread of the Internet, information exchange using digital data has become free across borders when the world is connected by a network. Information disclosure is performed with digital data, and when digital data is presented internationally, it is necessary to retain its legal evidence. Easily handling digital data and losing evidence is regarded as evidence concealment, which can occur in legal matters between companies and countries.

Therefore, it is necessary to determine how to handle digital data as an international standard. In Europe and the United States, these movements are already underway (CTOSE: Cyber Tool On-line Search for Evidence and IOCE: International
Organization on Computer Evidence). In Japan, Digital Forensics Study Group (President: Shigeo Sakurai, President of Information Security Graduate School) was established in August 2004, the first academic society specializing in forensics. This study group is also expected to serve as a window for international standardization and cooperation with Western countries.

Forensic IT has become indispensable for IT-developed countries where the exchange of digital data has become a daily routine. As IT technology develops, the convenience of the world increases, and various problems caused by the technology also arise. However, even if problems arise, mankind will solve those problems and realize an ideal society that is safe in addition to convenience. Forensics, which solves legal problems using advanced technology, is an extremely important element in maintaining the safety of IT technology.

JP2002-342276 Jonathan Pacewiczh, “Forensic Hardware” Law EnforcementTechnology Eric Thompson, “Computer ForensicsTools for Terabyte Investigations” HTCIA Conference Larry Leibrock, “Digital Forensics Expert” e-discovery December 16, 2004 NETMARKSSOLUTION CASE STUDY “SOFTBANK BB Corp.”

   The foregoing has described in detail the digital forensic technology that is the background of the present invention. Hereinafter, problems to be solved in the conventional digital forensic technology will be described. Due to the development of an advanced information society, almost all information is exchanged and stored in organizations such as corporations and government offices using digital data as a medium. However, digital data is very volatile and can be easily altered or lost. Also, digital data itself is not visible to humans. Because of these characteristics, it is very difficult to identify a fraudster in a case of unauthorized use of information using digital data as a medium. This difficulty has given rise to awareness of the fact that it is almost a lawless zone for those who commit cheating, and has helped increase the number of those who commit cheating with little guilt. Due to the characteristics of such digital data, it is very difficult to effectively suppress fraud using digital data.

[Network Forensics (Network Monitoring System)]
FIG. 4 is a diagram showing a configuration of a typical computer network in a company that enables forensic network monitoring. This network is composed of a server a, a terminal PC b, a monitoring device c, and a printer / FAX multifunction device d. The monitoring device c is connected to the server a. The network function shown in FIG. 4 is a network forensic function, focusing on the point of automatically monitoring the network. In addition, the computer network in FIG. 4 can be referred to as a network monitoring system in view of the fact that the network can be automatically monitored by forensics. Data e is exchanged between the terminals via the server a. The monitoring device c monitors data and logs passing through the server a and detects an abnormality in the data and logs. The monitoring device c also monitors the work itself at the terminal connected to the network, and detects an abnormality in the work at the terminal.

FIG. 5 is a diagram illustrating a configuration of a network monitoring system disclosed in Non-Patent Document 4. The network monitoring system of FIG. 5 includes an information processing system unit, a log collection & primary log storage unit, and a log collection & secondary log storage unit. In the information processing system unit, client PC logs are collected by network forensics, and logs of various business servers are collected. The PC log audit system, log central management system, and mail archive in the log collection & primary log storage unit process and store the logs collected in the information processing system unit. Logs primarily stored in the log collection & primary log storage unit are stored in the large-scale storage of the log collection & secondary log storage unit. The log collection & secondary log storage unit audits and analyzes the logs processed by the PC log audit system and the logs stored in the large-scale storage. In this log analysis, an abnormality performed in the client PC or various business servers is detected.

The network forensics (network monitoring system) in FIG. 4 or FIG. 5 manages a large number of terminals such as PCs at one time, automatically monitors the network for abnormalities on the network, and considerably narrows down terminals with abnormalities. Make it possible. However, in the network forensics of FIG. 4 or FIG. 5, it is difficult to detect an abnormal behavior performed by a person having the network management authority, and even if the presence of any abnormality can be detected It is usually difficult to identify who has done what, i.e., the fraudsters strictly enough to provide legal evidence.

[Computer Forensics]
FIG. 6 is a diagram illustrating the concept of computer forensics. Computer forensics is digital forensics targeted at individual terminal devices. In computer forensics, evidence preservation i is performed on the data of the target terminal f, usually by physical copying to the hard disk g, and the investigator h performs investigation j on the data. As a result, it is possible to identify what has been done at the target terminal f and who has done it. In the terminal survey, the analysis described above in the background art column is performed, and since this analysis is performed in detail, the fraudulent person can be identified with a very high probability. The analysis is performed in such a way that it is possible to prove the evidence retention of the data acquired in the evidence preservation i as described above in the background section.

However, since investigation by computer forensics must be performed by a person, the investigation of terminals takes time and requires a large number of personnel. When conducting regular audits of organizations such as companies and government offices, there is no means of narrowing down the survey subjects and their terminals, so it is necessary to investigate all terminals. Such a survey is practically impossible. With computer forensics alone, it was difficult to narrow down the terminals to be surveyed, and a considerable part was narrowed down based on experience to narrow down the terminals to be surveyed. Therefore, when the entire computer network was monitored by computer forensics, the disparity due to human factors was very large in the reliability of the finally obtained survey results, and the survey could not be made uniform.

[Object of the present invention]
Network forensics is digital forensics that has already been put to practical use in Japan, and computer forensics is digital forensics developed in Europe and the United States. Both forensic methods have problems, and network forensics can efficiently narrow down terminals that are suspected of fraud, but cannot identify fraudsters. Computer forensics, on the other hand, can identify fraudsters in a way that can prove evidence retention, but it cannot efficiently narrow down terminals that are suspected of fraudulent activity or who operated those terminals. It cannot be applied as a method to efficiently monitor or regularly audit computer networks of organizations such as companies and public offices. In particular, computer forensics is inappropriate as an internal audit when an incident has not yet been detected. Also, if forensic reliability is defined as the degree to which a fraudster finally identified by forensics is a true fraudster, the reliability of computer forensics is the experience and ability of the investigator. Depends on human factors.

Therefore, an object of the present invention is to efficiently monitor a computer network, narrow down suspicious terminals, and efficiently identify fraudsters in a way that can prove evidence retention. Is to provide a digital forensic method and system in which the reliability of the system is not easily influenced by human factors such as the experience and ability of the investigator.

In order to solve the above-mentioned problems, the present invention provides the following means.

(1) A digital forensic method in which network forensics and computer forensics are organically combined.

(2) In the network forensics, a computer network composed of a large number of terminals is constantly monitored, and the log or data regarding any terminal or group of terminals of the computer network is compared with a predetermined condition. The presence or absence of abnormalities in the analysis, analyzing the log of abnormal or abnormal data log in the determination, selecting the terminal or terminal group to be investigated based on the analysis,
In the computer forensics, evidence preservation of the log or data related to the selected terminal or the terminal group is performed, the log or data subjected to the evidence preservation is analyzed, and an unauthorized person in the computer network is based on the analysis. 2. The method of digital forensics according to claim 1, wherein when the identification is made, the fraudulent person and the contents of the fraudulent act are reported.

(3) The method of digital forensics according to claim 2, wherein the analysis is performed by determining the priority of investigation with reference to the result of the log analysis.

(4)
When an abnormality related to E-mail is detected from the log analysis, an E-mail analysis is performed in the analysis. When an abnormality related to a keyword is detected from the log analysis, a keyword search is performed in the analysis. 4. The digital forensic method according to claim 3, wherein, when an abnormality relating to confidential information is detected from the log analysis, the analysis performs an important search relating to an application or a keyword relating to the confidential information.

(5) A forensic IT security system designed to prevent internal crimes in a computer system or promote an investigation by the method according to any one of claims 1 to 4.

According to the present invention, it is possible to efficiently monitor a computer network, narrow down suspicious terminals, and efficiently identify a fraudster using a method that can prove evidence retention. It is possible to provide a digital forensic method and system in which reliability is hardly influenced by human factors such as the experience and ability of the researcher.

Next, embodiments of the present invention will be described, and the present invention will be described more specifically with reference to the drawings. FIG. 1 is a flowchart showing an embodiment of the forensic IT security system according to the present invention, and FIGS. 2 and 3 are diagrams showing the concept of the embodiment. FIG. 2 shows a concept regarding functions, and FIG. 3 shows a concept of hardware configuration. The forensic IT security system of the present embodiment is a digital forensic system in which conventional network forensics and computer forensics are organically combined, as is apparent with reference to FIGS. A forensic IT security system according to this embodiment is a system that takes advantage of each of network forensics and computer forensics and compensates for the disadvantages.

The function of this embodiment will be described with reference to FIG. At the network forensics stage, the entire network of organizations such as corporations and government offices is monitored. Always-on monitoring m detects abnormalities such as unexpected external devices such as USB and CD / DVD being connected, unexpected traffic being performed, login being performed outside the expected time, etc. p. The assumed externally connected equipment, traffic, and time are equipment, traffic, and time that conform to organizational rules and the like. In log / packet capture n, such information is logged, and data is collected by packet capture or the like. The obtained logs and data are compared with predetermined conditions, and “narrowing” q is performed to narrow down which terminal or group has an abnormality. For the terminals that have been narrowed down to some extent by the narrowing-down q, the fraudulent person identification r is performed by conducting a detailed investigation o at the stage of computer forensics l.

Next, the hardware configuration of this embodiment will be described with reference to FIG. In the network forensics unit, the monitoring device c detects an abnormality related to the status being performed at the terminal b or d and the data flowing through the network. In anomaly detection, log and data are confirmed, and suspicious terminals t are narrowed down from a large number of terminals. The suspicious terminal t is a terminal that is suspected of being operated by an unauthorized person. The symbol e represents data. The suspicious terminal t and the log and data on the grounds that the terminal t is estimated to be suspicious are reported to the computer forensics unit. There may be one suspicious terminal t or a plurality of suspicious terminals t. This report is indicated by the symbol s. In response to the report s, the computer forensics section performs digital forensics regarding the terminal t, and identifies an unauthorized person. Digital forensics will provide evidence preservation, analysis and reporting as described in the Background section.

The forensic IT security system of the present embodiment has been characterized by the fact that it has been difficult to identify fraudsters and the details of their actions by network forensics alone, but it has been possible to identify them by combining them with computer forensics. There is. In addition, it was difficult to narrow down the terminals to be surveyed by computer forensics alone, and a considerable part depended on experience. The reliability of computer forensics (the degree to which a fraudster finally identified by computer forensics is a true fraudster) depends heavily on human factors such as the investigator's knowledge and experience, Although the reliability of the survey could not be equalized, this embodiment combined with network forensics makes it possible to narrow down the filter with a certain degree of accuracy by applying a filter under certain conditions. You can improve your sex. Since this narrowing is automatically performed by a filter under a certain condition, the uniformity of the forensic reliability according to the present embodiment is high.

In the network forensics unit in this embodiment, a filter with a certain condition is applied to narrow down the fraudsters. The certain condition in the filter can be arbitrarily selected by an organization that uses this embodiment. For example, the following conditions can be set. This condition is a criterion for determining an abnormality.
(1) When a person other than the predetermined user of the terminal PC logs in.
(2) All cases where an externally connected storage device is connected.
(3) When files designated as confidential information (technical information / accounting materials) are mailed outside the company.
(4) When an e-mail containing a keyword indicating the content specified in the confidential information is sent outside the company.
(5) When logging in to a PC outside the specified working hours of the PC user.

Next, the flow of processing in the present embodiment will be described with reference to the flowchart of FIG. The flowchart of FIG. 1 shows a procedure for finding a fraudster according to this embodiment. In the process of the network forensics 12, first, the constant monitoring 1 is performed. Subsequently, regarding the log and data obtained in the constant monitoring 1, an abnormality is detected by applying a filter 2 under a predetermined condition. This condition is the above (1) to (5). The filter 2 determines that there is an abnormality 4 when any of these conditions (1) to (5) is met. If it is abnormal, the log analysis 5 is performed on the log determined to be abnormal or the log of data determined to be abnormal to narrow down the outline of the abnormality and the target terminal or terminal group.

The investigation target terminal 6 which is a result of narrowing (sorting) by the network forensics 12 is obtained, and the process proceeds to the computer forensics 13 process. The computer forensics 13 first performs evidence preservation 7 for the narrowed terminals. Then, analysis 8 is performed on the evidence-protected data (including the log). In the analysis 8, the survey priority is determined with reference to the analysis result in the log analysis 5, and the survey is advanced efficiently. The fact evidence report 9 obtained from the analysis 8 is a report finally obtained by forensics by the system of the present embodiment.

In the present embodiment, in the maintenance evidence analysis 8 of the computer forensic 13, the analysis result obtained by the log analysis 5 in the network forensic 12 is used. In this embodiment, since the result of the log analysis 5 is used in the maintenance evidence analysis 8 as described above, the maintenance evidence data analysis 8 in the computer forensics 13 can be efficiently advanced. For example, when an abnormality related to E-mail is detected from the log analysis 5, the data analysis 8 performs E-mail analysis. When an abnormality related to a keyword is detected from the log analysis 5, the data analysis 8 performs a keyword search. When an abnormality related to confidential information is detected from the log analysis 5, the data analysis 8 performs a priority search regarding an application or keyword regarding confidential information.

It is a flowchart which shows the forensic IT security system which is one embodiment of this invention. It is a figure which shows the concept of the function in embodiment of FIG. It is a figure which shows the concept of the hardware constitutions in embodiment of FIG. It is a figure which shows the structure of the typical computer network in a company which enabled the monitoring of the network by forensic. It is a figure which shows an example of a structure of the conventional network monitoring system. It is a figure which shows the concept of computer forensics. It is a figure which shows the time stamp update condition before and behind starting. It is a figure which shows the method directly copied from HDD in digital forensics. It is a figure which shows the method of starting the special OS in digital forensics, and copying the data of HDD from PC via USB / FireWire. It is a figure explaining the importance of the physical copy in digital forensics. It is a figure explaining the process of evidence preservation in digital forensics. It is a figure explaining the investigation of the registry protection area in digital forensics. It is a figure which shows the example of the screen display in the forensic tool for password analysis. It is a conceptual diagram which shows the example of the analysis software of a database reconstruction system. It is a figure which shows the time-sequential process in digital forensics.

Explanation of symbols

a server
b Terminal PC
c Monitoring device
d Printer / Fax MFP
e data
f Investigation target terminal
g Hard disk
h Inspector
i Evidence preservation
j Survey
k Network forensics
l Computer forensics
m Regular audit
n Data acquisition by log acquisition and packet capture
o Detailed investigation
p Error detection
q Narrow down abnormal devices
r Identify fraud
s Report
t Suspicious terminal t

Claims (5)

A method of digital forensics that organically combines network forensics and computer forensics. In the network forensics, a computer network composed of a large number of terminals is constantly monitored, and a log or data related to any terminal or a group of terminals of the computer network is compared with a predetermined condition to detect an abnormality in the log or data. Determine the presence or absence, analyze the log of the abnormality or the log of the data that was abnormal in the determination, conduct the selection of the terminal or terminal group to be investigated based on the analysis,
In the computer forensics, evidence preservation of the log or data related to the selected terminal or the terminal group is performed, the log or data subjected to the evidence preservation is analyzed, and an unauthorized person in the computer network is based on the analysis. 2. The method of digital forensics according to claim 1, wherein when the identification is made, the fraudulent person and the contents of the fraudulent act are reported. The digital forensic method according to claim 2, wherein the analysis is performed by determining a priority of investigation with reference to a result of the log analysis. When an abnormality related to E-mail is detected from the log analysis, an E-mail analysis is performed in the analysis. When an abnormality related to a keyword is detected from the log analysis, a keyword search is performed in the analysis. 4. The digital forensic method according to claim 3, wherein, when an abnormality relating to confidential information is detected from the log analysis, the analysis performs an important search relating to an application or a keyword relating to the confidential information. 5. A forensic IT security system for suppressing internal crimes or promoting an investigation in a computer system by the method according to claim 1.